I am delighted to introduce this global research project which Clearswift
has undertaken to examine IT security policies within businesses. 

This report follows on from the hugely successful series of reports 
published in April 2010 examining corporate attitudes towards Web 2.0 
technologies, and the use of such tools in the workplace. 

The results of the original research illustrated a significant mind shift 
amongst businesses, making it clear that businesses now accept that Web 
2.0 and other collaborative technologies are critical to the future success 
of their company. 

But as the corporate IT landscape becomes ever more complex, undergoing 
rapid changes as a result of the impact that Web 2.0 technologies have 
had, how prepared are companies, and more importantly, their staff, to 
cope with the ensuing security challenges? 

This new research moves on to examine attitudes towards IT policies in 
companies around the world, and the results are both fascinating and 
thought-provoking. 

One particularly interesting finding is the apparent lack of training of 
employees when it comes to IT policies - many staff report only receiving 
training when they first join a company, and with technology changing 
so rapidly, this clearly isn't ideal. The reality is that staff can be a vital 
component for safeguarding data and information security within a 
business. Ensuring staff know and understand policies can be a huge 
advantage to companies. 

IT security companies have for too long made a living out of making their 
customers feel insecure, trading on fear and negativity to maximise profit. 
It is clear to me that in order to be more secure, companies must first stop 
feeling insecure. 

My overarching message as a result of this report is simple - IT security 
must be brought out of the dark depths of the IT department and given 
clarity across the organisation. By having a relevant and current security 
policy in place, a company is enabling its employees to get on with the 
jobs that they need to do and aiding productivity and innovation.

Key Stats

• 71% of office workers say company has clear Internet policy that most
employees understand

• 50% of office workers have discussed Internet policy with colleagues in
the last 12 months, but only 29% have received training on the subject
during this time

• 22% do not know if their Internet use is monitored at work

• Only 15% of office workers are concerned that they may be inadvertently
breaching security policy - but security breaches are most likely to be
attributed to ignorance / lack of understanding (63%)

Results of the Clearswift Security Awareness Survey are based on 2000
online interviews with office workers in UK, USA, Australia, Germany and
Netherlands. The research was conducted by Loudhouse, an independent
market research consultancy based in London.



Summary 

As technology for sharing information becomes more and more embedded 
in our lives, it becomes more and more important for those with access to 
data in the workplace to understand what uses of data are permitted and 
which activities may be putting data at risk. 

The Clearswift Security Awareness Survey explores the extent to which 
office workers understand the data security implications of their day-to-day 
activities and highlights an interesting data security phenomenon amongst 
office workers. It appears that employees in office environments have a 
misplaced confidence in their own levels of understanding and are not 
always equipped with the knowledge they need to keep data safe. As such, 
data security can be regarded as an "unknown unknown" - workers who 
think they understand data protection are not aware that they need more 
information and guidance. 

Overconfidence can therefore be seen as the main data protection 
hazard in today's office environments. Employees are confident that they 
understand what is safe and what is permitted, which is leading many to 
take a casual attitude toward IT generally, often "freestyling" and blindly 
moving data from place to place without consideration of potential security 
risks. This situation is being compounded by the fact there is a lack of 
consistent communication about security policy, and consequently many 
office workers do not understand it fully. Despite the fact that the majority 
of office workers in this survey consider themselves to be risk-averse, 
individually and collectively they are inadvertently leaving their employers 
exposed to data security risks. 

In order to drive best practice in data security, Clearswift advises 
employers to actively engage their employees in a dialogue about security, 
responsibility, and risk.



Policy in practice 

With Internet use a ubiquitous part of working life for many, it is not 
surprising that most employers now have internet policies in place. 
Indeed, 71% claim that not only does their employer have such a policy, 
but that most of their fellow employees understand the policy which 
is in place. Only 20% say their company has no official policy at all. 
Furthermore, these policies for the most part are considered by employees 
to be fair and comprehensible - only 10% see their employers' rules as 
unfair, and only 8% feel employer policy makes no sense. 

Despite the existence of Internet policies and high reported levels
of understanding of such policies amongst office workers, formalised
communications around Internet policies are non-existent at worst,
patchy at best. Internet use policy may be a topic of "water cooler"
conversation: Figure 2 shows that half of office workers (50%) have had a
conversation about Internet use policy in the last 12 months. In contrast,
only 29% have had a dedicated training session on the policy within that
time, and only 14% have raised a query to see if something they were doing
was permitted under company policy. Indeed, half of respondents have
never had a dedicated training session on their current company's security
policy, and 38% have had no training at all about security issues in their
current job (whether in a dedicated session or otherwise). This suggests
that even those who have had some training (at an induction or a scheduled
session) are not provided with up-to-date information as they move through
their organisations.

Employees feel that their companies are being proactive about security 
- 58% believe that their employer proactively encourages employees to 
understand and implement the policies they have, and generally see the 
policies as well-intentioned, but it is clear that the gap between good 
intentions and concrete action is large for many employers.



Compliance confusion 

The majority of office workers claim general understanding of their 
employers' internet policies, but many still experience confusion about 
aspects of that policy. Monitoring of internet use at work is the largest area 
of confusion: 21% say that their employer's electronic monitoring is the 
single most confusing aspect of using the internet at work. Figure 3 shows
that over 1 in 5 office workers (22%) do not know if their internet use is
being monitored at work. Of those (57%) who know that their internet use
at work is monitored, 38% feel that their employer accesses information
about personal internet use more than is necessary to maintain security.
As one respondent put it, "No-one knows exactly who sees the Internet
activity and what sort of information is on the reports, how often it is
looked at and shared."

Levels of office worker understanding of data security issues are shown
in Figure 4. Confidence is highest in understanding what data can be sent
via email (79% are confident), followed by what it is okay to do on
work-related social media (65%), and is lower for understanding the
security on work email (52%).

Other areas of employee data security confusion relate to the following: 

• Who has access to data about my Internet use at work 

• What data I can share with people in other functions and departments 

• What data I am allowed to share outside work 

• What I can say about work to others 

• Who I can communicate with when I am at work 








Casual compliance 

Interestingly, although personal levels of data security confidence are high 
- only 15% of office workers are concerned that they may be inadvertently 
breaching company security policy through their use of the Internet - 
63% of office workers attribute most security breaches to ignorance or a 
lack of understanding [Figure 5]. It seems therefore that office workers 
have a tendency to rate their own level of understanding of data security 
issues as higher than everyone else's! It is also worth noting that 1 in 5 
people think security breaches occur in order to get jobs done efficiently 
or effectively, whilst 11% think they are down to frustrations with 
unrealistic IT security policy. 

Part of the problem appears to stem from an attitude of casual compliance. 
Office communications can be likened to a game of "Chinese whispers" 
with half of office workers (50%) reporting that there are informal rules 
about the internet at work, and that most people understand what's 
acceptable, regardless of what the official policy says [Figure 6]. Without 
training and consistent, up-to-date communication on company policy, lines 
between these informal standards and actual policy are being blurred and 
company data is being left exposed. 

With only 27% of office workers thinking that their company could be 
better at communicating its online security policy, it seems that security 
is "off the radar" for many people and not a top-of-mind concern in 
their day-to-day rush to get their jobs done. Patchy levels of confidence 
around data security issues only serve to paint a picture of misplaced
confidence amongst both employees and employers and to highlight
the need for security policy to be more fully and more frequently 
communicated by employers. 







IT free-styling 

Office workers around the world are using a range of technologies in 
order to do their jobs and manage their personal lives. The boundaries 
between work and home use and appropriate and inappropriate use of 
technology are ever-shifting and essentially unclear. Figure 5 shows just 
some examples of where office workers are essentially IT free-styling, 
applying their own rules to technology use, regardless of what official 
policy says. 44% of office workers report storing data at work on personal 
memory devices, 39% download software to their computer at work and 
25% use personal accounts on social networks to comment about their job. 
As one respondent put it, "I access my personal email accounts and also do
shopping during my lunch hour. I'm hoping that no-one can see my card
details or read my emails."

Most of the online activity during the day is likely personal, since only 14%
use social media for work purposes (i.e., contributing to Facebook, Twitter,
LinkedIn, or another social site as part of their job descriptions). Email still
dominates work communication, and much of this email is hosted in the 
cloud, raising security issues of which employees may not be aware. 74% 
frequently use email and other web-based mediums to communicate with 
customers or clients about business. 

In short, office workers are using a variety of technologies, at varying levels 
of risk on a regular basis. The fact that office workers remain confident that 
they are compliant with data security policy in the absence of formalised 
training around such issues is a cause for concern. This situation is clearly 
untenable in the long term as data protection threats become more diverse 
and sophisticated, technology becomes more mobile and the lines between 
personal and work lives continue to blur.

Summing up

It is clear that, whilst employees are confident that they understand
their employers' security policies, this confidence is often unwarranted.
Knowledge is too often transmitted informally, through conversations 
between employees, and hardened into informal guidelines that can 
supersede actual data protection policies in the absence of training. 
IT 'freestyling' blurs the lines between personal and work technology, 
creating risks as sensitive work data is stored on personal USB sticks and 
personal information feeds through work laptops. 

This situation is risky in the long run, to both employers (who may suffer
the consequences when workers break the rules) and to employees (who
may inadvertently be revealing personal information through workplace
monitoring or opening themselves up to career risk). There are high levels
of goodwill within organisations, however, and this creates the chance for
outreach to close the security gap.

The most forward-thinking organisations will need to close security gaps by 
acting on two problems at once. Technological solutions can help keep data 
under control, by automating enforcement and limiting risk. More regular 
training is needed alongside these solutions, however, if employees are to
feel confident about acting to protect sensitive data at work.